nanog mailing list archives

Re: Attn MCI/UUNet - Massive abuse from your network


From: "Jeff Shultz" <jeffshultz () wvi com>
Date: Fri, 25 Jun 2004 09:47:07 -0700


** Reply to message from Brad Knowles <brad.knowles () skynet be> on Fri,
25 Jun 2004 18:14:43 +0200

> At 8:44 AM -0700 2004-06-25, Jeff Shultz wrote:
>
>> At least if someone in this "clearing house" sells it to the
>> terrorists, they will have had to work for it a bit, instead of having
>> us hand it to them on a silver platter, as the FCC seems to want.
>
> Not true.  If the information is forced to be completely in the
> open, then everyone knows it's not insecure and no one depends on the
> fact that it was supposed to be kept secret.  This is a case where
> you are more secure the more open the information is -- indeed, as we
> are in most cases, which is why we have the age-old security mantra
> of "security through obscurity is not secure".


Do you realize that the basic element of security, the password, is
based on the entire premise you just dismissed? And yet we still use
them - and depend on the fact that they are supposed to be kept secret.

The problem with being totally open about infrastructure is that there
are some vulnerabilities that simply cannot or will not be fixed -
wires sometimes have to run across bridges, redundant pumping stations
are too expensive... in these cases is it not better to hide where
these vulnerabilities are? 

The problem with your point is that even if the information is forced
to be completely in the open, that is no guarantee that it will be
fixed, and people _do_ depend on this stuff, regardless of its
reliability or security. 

Do you really think that if we publish all the insecurities of the
Internet infrastructure that anyone is gonna stop using it, or
business, government, and private citizens are going to quit depending
on it? 

Security through obscurity is not secure - but sometimes it's all you
have.

-- 
Jeff Shultz
A railfan pulls up to a RR crossing hoping that
there will be a train. 

